I'm having problems creating a login script that lets me access a members area. I have created the registration script; it works and connects to the DB. It's the login side that I'm having trouble with. Here are the files.
I get these errors too:
Notice: Undefined index: name in /home/xxxxxxxxxx.xxx/www/index.php on line 32
Notice: Undefined index: pass in /homexxxxxxxxxxxxx.xxx/www/index.php on line 33
Notice: Undefined index: sublogin in /xxxxxxxxxxxx.xxx/www/index.php on line 34
Notice: Undefined index: pass in /xxxxxxxxxxxx.xxx/www/index.php on line 37
SQLSTATE[42S02]: Base table or view not found: 1146 Table 'xxxxxxxxxxxxxx.name' doesn't exist
There are a lot of security vulnerabilities in your login script. If you are using PDO, you should be using prepared statements wherever you have a WHERE clause or any user input. Using prepared statements doesn't "magically" protect you from SQL injection, but it will lessen the vulnerabilities.
Database connections should always be at the top of the page. Including session_start().
These errors are telling you that the $_POST or $_REQUEST variables aren't assigned. You should also use $_POST instead of $_REQUEST because you are getting information that is from a form. Using $_REQUEST will lead to security vulnerabilities because it contains both $_POST and $_GET values, and they might not come from the same origin.
Next, you need to rename `xxxxxxxxxxxxxx` to your actual database.
Now, looking at your index file, I see there are a lot of security problems. You're using MD5 for the password; MD5 isn't a password algorithm and isn't intended to be one. You should use PHP's default password_hash.
When looking to see if the account exists, don't compare both email and password together. You should check whether the email exists. If it exists, then pull up the password hash for the selected email. From there, use the password_verify function to check if the user-submitted password matches the one you just pulled. This should all be done through a different set of files, since redirecting to the same file multiple times could cause an infinite loop.
Then there are more. Don't use if(isset($_POST['submit'])), if(isset($_POST['btn'])), if(isset($_POST)), etc. All of these are amateur hacks from tutorials from the 90s. The proper way to check if the form was submitted is by using if($_SERVER['REQUEST_METHOD'] == 'POST'). And don't let anyone else tell you otherwise. People who support if(isset($_POST['submit'])), if(isset($_POST['btn'])), if(isset($_POST)), etc. are the people who want to keep legacy code alive.
Simple doesn't always mean secure and not hackable.
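The login flow the answer above describes, written out as an added example (not the poster's files or the answerer's code): a PDO prepared statement looks up the stored hash by email only, password_verify does the comparison, and the submission check uses REQUEST_METHOD and $_POST. The `users` table, its `email`/`pass_hash` columns, the form field names, the DSN credentials and `members.php` are all assumptions.

```php
<?php
// Added example. Assumed schema: users(id INT, email VARCHAR, pass_hash VARCHAR),
// where pass_hash was produced at registration by password_hash($pw, PASSWORD_DEFAULT).
session_start(); // session and DB setup belong at the top of the page

/** Returns the user's id on success, or null on any failure. */
function login_user(PDO $db, string $email, string $password): ?int
{
    // Look up by email only; the password never appears in the WHERE clause.
    $stmt = $db->prepare('SELECT id, pass_hash FROM users WHERE email = :email LIMIT 1');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['pass_hash'])) {
        return null; // unknown email and wrong password are reported identically
    }

    // Upgrade the stored hash transparently if PHP's default cost/algorithm has moved on.
    if (password_needs_rehash($row['pass_hash'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET pass_hash = :h WHERE id = :id');
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    return (int) $row['id'];
}

$error = null;
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Assumed form field names; read from $_POST, not $_REQUEST.
    $email    = trim($_POST['email'] ?? '');
    $password = $_POST['pass'] ?? '';

    // Assumed DSN and credentials. ERRMODE_EXCEPTION makes errors such as the
    // "table doesn't exist" one above fail loudly instead of continuing silently.
    $db = new PDO('mysql:host=localhost;dbname=YOUR_DB;charset=utf8mb4', 'dbuser', 'dbpass', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);

    $uid = login_user($db, $email, $password);
    if ($uid === null) {
        $error = 'Invalid email or password.';
    } else {
        session_regenerate_id(true);       // new session id after privilege change
        $_SESSION['user_id'] = $uid;
        header('Location: members.php');   // assumed members-area page
        exit;
    }
}
```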